Forum

Print view
Board index Programming Engine Programming

"save pak0.pak" vulnerability

Discuss programming topics for the various GPL'd game engine sources.

Moderator: InsideQC Admins

Post a reply

Re: "save pak0.pak" vulnerability

Postby frag.machine » Tue Apr 29, 2014 12:24 pm

Related to this, all file related builtins from FRIK_FILE extension can do the same damage, even worst. They ought to be at least confined to the files inside the current gamedir.
I know FrikaC made a cgi-bin version of the quakec interpreter once and wrote part of his website in QuakeC :) (LordHavoc)
User avatar
frag.machine
 
Posts: 2090
Joined: Sat Nov 25, 2006 1:49 pm
Top

Re: "save pak0.pak" vulnerability

Postby Spirit » Tue Apr 29, 2014 4:11 pm

The question is, are there any Quake players with significant amounts of Cryptocoins on their machines. 8)
Improve Quaddicted, send me a pull request: https://github.com/SpiritQuaddicted/Quaddicted-reviews
Spirit
 
Posts: 1031
Joined: Sat Nov 20, 2004 9:00 pm
Top

Re: "save pak0.pak" vulnerability

Postby Spike » Tue Apr 29, 2014 5:26 pm

frik_file writes in dp+fte are confined to a gamedir/data/ subdir (but not reads). this prevents them from overwriting pak0.pak etc.
Spike
 
Posts: 2892
Joined: Fri Nov 05, 2004 3:12 am
Location: UK
Top

Re: "save pak0.pak" vulnerability

Postby leileilol » Wed Apr 30, 2014 1:13 pm

Half-Life also fixed this
i should not be here
leileilol
 
Posts: 2783
Joined: Fri Oct 15, 2004 3:23 am
Top
Previous
Post a reply

Return to Engine Programming

Who is online

Users browsing this forum: No registered users and 1 guest